<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Auditing search queries | Elasticsearch 7.7 Definitive Guide (Chinese Edition)</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'auditing-search-queries.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/auditing-search-queries.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/auditing-search-queries.html</a>; copyright of the original document belongs to www.elastic.co<br/>Local English version: <a href="../en/auditing-search-queries.html" rel="nofollow" target="_blank">../en/auditing-search-queries.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>Important</strong>: This version will not receive further bug fixes or documentation updates. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current version of the documentation</a>.
</div>
<div id="content">
<div class="navheader">
<span class="prev">
<a href="audit-log-output.html">« Logfile audit output</a>
</span>
<span class="next">
<a href="encrypting-communications.html">Encrypting communications »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="auditing-search-queries"></a>Auditing search queries
</h2>
</div></div></div>
<p>There is no <a class="xref" href="audit-event-types.html" title="Audit event types">audit event type</a> specifically
dedicated to search queries. Search queries are analyzed and then processed; the
processing triggers authorization actions that are audited.
However, the original raw query, as submitted by the client, is not accessible
downstream when authorization auditing occurs.</p>
<p>Search queries are contained inside HTTP request bodies, however, and some
audit events that are generated by the REST layer can be toggled to output
the request body to the audit log.</p>
<p>To make certain audit events include the request body, edit the following
setting in the <code class="literal">elasticsearch.yml</code> file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.audit.logfile.events.emit_request_body: true</pre>
</div>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>No filtering is performed when auditing, so sensitive data might be
audited in plain text when audit events include the request body. Also, the
request body can contain malicious content that can break a parser consuming
the audit logs.</p>
</div>
</div>
<p>There are only a handful of <a class="xref" href="audit-event-types.html" title="Audit event types">audit event types</a> that are
generated in the REST layer and can access the request body. Most of them are not
included by default.</p>
<p>A good practical piece of advice is to add <code class="literal">authentication_success</code> to the event
types that are audited (add it to the list in the <code class="literal">xpack.security.audit.logfile.events.include</code> setting),
as this event type is not audited by default.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Typically, the include list contains other event types as well, such as
<code class="literal">access_granted</code> or <code class="literal">access_denied</code>.</p>
</div>
</div>
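<p>The following script is an added example, not part of the Elastic documentation or of Elasticsearch itself. It shows what a consumer of the audit log has to do once <code class="literal">emit_request_body</code> is on and <code class="literal">authentication_success</code> is in the include list: read the newline-delimited JSON log defensively (a corrupt or hostile line must not abort the whole run, as the caution above warns), pick out the REST events that carry a body, and redact credential-looking keys before the body goes anywhere else, since Elasticsearch performs no filtering. The field names <code class="literal">event.type</code>, <code class="literal">event.action</code>, <code class="literal">user.name</code>, <code class="literal">url.path</code> and <code class="literal">request.body</code> are assumed from the 7.x logfile audit format; the sample lines and the include list are constructed for the example.</p>

```python
"""Defensive post-processing of Elasticsearch 7.x logfile audit events.

Example code only (not Elastic's). Assumed elasticsearch.yml settings:
    xpack.security.audit.logfile.events.emit_request_body: true
    xpack.security.audit.logfile.events.include: [access_denied, access_granted, authentication_success]
The second line is a constructed example of an include list.
"""
import json
import re
from typing import Any, List, Optional, Tuple

# Keys whose values should never be copied out of an audit log as-is.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_key)", re.IGNORECASE)

# Constructed sample lines (field names assumed from the 7.x JSON audit format):
#  1. REST authentication_success with a search body
#  2. transport access_granted with no body
#  3. REST authentication_success whose body contains a password
#  4. a truncated line, as a log shipper or disk-full condition might leave it
#  5. REST authentication_success whose body is not JSON at all
SAMPLE_LINES = [
    json.dumps({"type": "audit", "event.type": "rest", "event.action": "authentication_success",
                "user.name": "analyst", "url.path": "/logs-*/_search", "request.method": "GET",
                "request.body": json.dumps({"query": {"match": {"message": "login failed"}}})}),
    json.dumps({"type": "audit", "event.type": "transport", "event.action": "access_granted",
                "user.name": "analyst", "action": "indices:data/read/search"}),
    json.dumps({"type": "audit", "event.type": "rest", "event.action": "authentication_success",
                "user.name": "admin", "url.path": "/_security/user/bob", "request.method": "POST",
                "request.body": json.dumps({"password": "hunter2", "roles": ["viewer"]})}),
    '{"type":"audit","event.type":"rest","event.action":"authentication_success","request.body":"{\\"q',
    json.dumps({"type": "audit", "event.type": "rest", "event.action": "authentication_success",
                "user.name": "analyst", "url.path": "/_search", "request.method": "POST",
                "request.body": "{not json"}),
]


def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None instead of raising on corrupt input."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    return event if isinstance(event, dict) else None


def redact(obj: Any) -> Any:
    """Recursively replace the values of credential-looking keys."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if SENSITIVE_KEY.search(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def extract_request_bodies(lines: List[str]) -> Tuple[List[dict], int]:
    """Return (records, skipped) for REST events that carry a request body.

    The audit log stores the body as a string. If it parses as JSON it is
    redacted; otherwise it is passed through unchanged with parsed=False so a
    downstream consumer can quarantine it rather than choke on it.
    """
    records, skipped = [], 0
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            skipped += 1
            continue
        if event.get("event.type") != "rest" or "request.body" not in event:
            continue
        raw = event["request.body"]
        try:
            body, parsed = redact(json.loads(raw)), True
        except (TypeError, ValueError):
            body, parsed = raw, False
        records.append({"action": event.get("event.action"), "user": event.get("user.name"),
                        "path": event.get("url.path"), "body": body, "parsed": parsed})
    return records, skipped


if __name__ == "__main__":
    found, bad = extract_request_bodies(SAMPLE_LINES)
    print(f"{len(found)} bodies extracted, {bad} corrupt line(s) skipped")
    for rec in found:
        print(rec)
```

<p>Run against a real <code class="literal">&lt;clustername&gt;_audit.json</code> the same loop applies line by line; the two design points are that a parse failure is counted and skipped rather than propagated, and that redaction happens on the parsed structure, so a password nested inside a request body is caught regardless of where it sits.</p>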
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>